CVE-2008-0128

Name of the Vulnerable Software and Affected Versions Apache Tomcat versions prior to 5.5.21

Description The issue concerns the SingleSignOn Valve in Apache Tomcat, where the JSESSIONIDSSO cookie is not set with the secure flag during an https session. This can cause the cookie to be sent in http requests, making it easier for remote attackers to capture the cookie. Specifically, when using the SingleSignOn Valve via https, the JSESSIONIDSSO cookie is transmitted without the secure attribute, resulting in it being transmitted to any content requested via http from the same server.

Recommendations For versions prior to 5.5.21, update to version 5.5.21 or later to resolve the issue. As a temporary workaround, consider configuring the SingleSignOn Valve to set the secure flag for the JSESSIONIDSSO cookie to minimize the risk of exploitation.